Information and Technology for Better Decision Making
DoD Decentralized Smart Card Issuance
Lynne Prince, July 16, 2003
How is an iceberg like a Smart Card Issuance Program?
2/3 of Smart Card Issuance is hidden from view
Overview
• Business Drivers of the DoD Common Access Card Issuance (CAC)
• High Level Architecture of the CAC Issuance System
• CAC Issuance System Maintenance Considerations
• Future CAC Issuance Directions
DMDC Partnerships
Business Rationale for Decentralized Issuance
• DMDC has successful experience with large scale, enterprise solutions related to identity management
• DoD already had a centralized Identity model – DEERS
• DoD already had a decentralized ID card issuance model – RAPIDS
Business Rationale for Decentralized Issuance
• Reduce operational cost to retrofit existing system to handle smartcard issuance
– Hardware in place
– Modularized software which could be enhanced
– Trainers, Trusted Officials and Installers already established
– 24 x 7 Help Desk already available
• Shorten time to the market for DoD PKI program
• Improve security and reduce the potential for fraud
The Decentralized System
DEERS/RAPIDS is a Person Based DoD Benefit Delivery System
DEERS - over 25,000 users throughout DoD, 23 million records
RAPIDS - 1,500 workstations at 900 sites in 13 countries
ARMY, NAVY, AIR FORCE, MARINE CORPS, COAST GUARD, NOAA, PUBLIC HEALTH
High Level Architecture
• RAPIDS System High Level Architecture
– RAPIDS Server
– RAPIDS Workstation
– DEERS
– CAC Issuance Portal
– Common Access Card
[Diagram: RAPIDS Server, RAPIDS Workstation, DEERS, Issuance Portal, Certificate Authority]
RAPIDS Server
• Serves as the Windows NT Domain Controller for a site or group of sites
– Manages computers that are part of the domain
– Manages users of the domain
• Stores DEERS user data in internal Oracle database
• Stores offline data in internal Oracle database
• Stores audited events in internal Oracle database
• Serves as communication concentrator for some remote sites
RAPIDS Workstation
• Main RAPIDS application runs on the workstation
– Sponsor and Dependent data is maintained
– DoD supplied benefits are calculated and displayed
– Biometrics are captured and confirmed (photo and fingerprint)
– Teslin and CAC identification cards are produced
• CACs are encoded
• Secondary Verifying Official (VO) Maintenance Application
– Adds and maintains VO data on DEERS
– Adds and maintains VO data at the assigned RAPIDS server
– Establishes and maintains VO passwords
– Maintains RAPIDS site data
RAPIDS Workstation Cont’d
• RAPIDS Workstation and DEERS data exchange
– All data exchange is over a client-side authenticated SSLv3 session using the VO's identity certificate on their CAC
– Data transmitted over the SSL connection in DEERS proprietary format:
• Family Data
• Electronic Representations of ID Cards and Certificates
• Photograph images
• Fingerprint images and minutia templates
• RAPIDS Workstation and Issuance Portal data exchange
– All data exchange is over a client-side authenticated SSLv3 session using the VO's identity certificate on their CAC
RAPIDS Workstation Cont’d
• RAPIDS Workstation and RAPIDS Server data exchange
– The RAPIDS workstation relies on the RAPIDS server to authenticate its users using normal NT domain logon procedures over NETBIOS
• CAC enabled workstations retrieve the user's logon ID and password off of the CAC after the correct PIN is supplied
– The RAPIDS workstation makes ODBC database calls to the RAPIDS Server using the Advanced Security Option
• User and site data is retrieved/updated
• Audit information is written
• Off-line data is written
• Lookup table data is retrieved
RAPIDS Workstation Cont’d
• Major RAPIDS User Roles
– Site Security Manager (SSM) - Manages users of the RAPIDS application for a site
• 2 SSMs at every site
• Only SSMs can run the secondary VO maintenance application
– Verifying Officer (VO) - Typical RAPIDS user
• Sponsor and Dependent updates
• Produce Teslin cards for Sponsors and Dependents
– Verifying Officer/Local Registration Authority (VO/LRA) - VOs that have the added authority of producing the CAC
• Non-US citizens cannot be a VO/LRA
– Super Verifying Officer (SVO) - Performs reporting and audit data maintenance for a group of sites
RAPIDS Maintenance
• Regular software releases
– Major releases on CD – 2x/year
– Small updates are pushed to the RAPIDS Servers
• Hardware upgrades
– Maintain extra equipment at strategic locations
– Installers provide hardware repair and replacement
– Site maintains consumables
• Training and Help Desk
– Maintain a program of Field Service Representatives
– Provide a centralized Help Desk – 24 x 7
• Technology refresh cycle – 5 year cycle
– Hardware changes to support peripherals
– New capabilities
DEERS
• DEERS Person Data Repository
– Sponsor and Dependent data is maintained
– DoD supplied benefits are calculated and displayed
– Biometrics are captured and confirmed (photo and fingerprint)
– Teslin and CAC identification cards are produced
• Authentication/Access Maintenance Application
– Adds and maintains SSM registration
– Adds and maintains RAPIDS site registration
– Adds and maintains VO data
– Binds SSM and VO to DEERS application access
DEERS High Level Architecture
• Layered approach to data access, preparation and transformation
– DATABASE
– CORE - encapsulates knowledge and function of data access
– SERVER - encapsulates knowledge and function for data preparation
– CLIENT - encapsulates knowledge and function for data transformation, display, and maintenance
DEERS Maintenance
General Maintenance – Respond to User Requirements
[Diagram: DMDC Person Repository serving Claims, Patient Records, Tumor Registry, Immunization, Dental Insurance, Recruiter Inquiries, RDDB, MGIB Inquiries, DBIDS, Reporting, NEO, Languages, RAPIDS/CAC, JPAS]
CAC Issuance Portal Architecture
[Diagram: Foundry Networks load balancer in front of Issuance Portals IP1–IP10, with the Inventory Logistics System, Card Repository System, IP Audit System and ILP Console, connected to the Denver and Chambersburg certificate authorities (IDCA, ECA)]
CAC Issuance Portal Components
• Load Balancing of RAPIDS sites
– 10 NT Issuance Portal Servers
– T-3 Disk Array storage for backend systems
• Load Balancing for Certificate Authorities
– Group 1: Primary CA – Chambersburg, PA; Secondary CA – Denver, CO
– Group 2: Primary CA – Denver, CO; Secondary CA – Chambersburg, PA
• Load Balancer - Balances production RAPIDS workstations across the 10 Issuance Portals.
CAC Issuance Portal Components cont'd
• Issuance Portal (IP) - The Issuance Portal is dedicated to the initialization and issuance of the CAC, the applications that reside on the CAC, and the keys and credentials needed to securely use/issue the CAC.
• Card Repository System (CRS) - Manages the real estate and the capabilities of the Integrated Circuit Chips of the CACs.
• Inventory Logistics Portal (ILP) - Manages the logistics of maintaining and replenishing CAC stock inventory quantities for individual CAC issuing sites and the DMDC organization.
• IP Audit System - Records the commands requested by a RAPIDS system and the outcome of those commands.
CAC Issuance Portal Components cont’d
• Inventory Logistics Console (ILC) - Provides DMDC management and SSMs the ability to maintain the ILP through the use of a GUI.
• Key Management System - Application for controlling key generation, storage, distribution, use and destruction.
Issuance Portal Maintenance
• Regular software releases
– Support increased functionality of the PKI Program
– Support new Smartcard/applet technology
– Improve performance and security
• Hardware/Software upgrades
– Migrate from NT server platform to Unix Issuance Portal
– Migrate from an LDAP CRS to Oracle
• Technology refresh cycle – ?
– Smartcard contactless technology
– New 64K cards
– Biometrics on the Smartcard
– New security features
DoD CAC
[Card face: Integrated Circuit Chip, Photograph, Magnetic Stripe, Printed Ghost Image, Organizational Seal, PDF 417 Bar Code, Code 39 Bar Code, Optically Variable Device. Sample card: Parker IV, Christopher J.; Armed Forces of the United States; Active Duty, Air Force; Geneva Conventions Identification Card; Rank SSGT; Pay Grade E5; Issue Date 2000SEP19; Expiration Date 2003SEP18]
Where are we Today?
What lies in the Future?
• RAPIDS redesign
– In development – completed roll out by FY2005
• Issuance
– Post issuance capability
• Email certificate renewal
• Applet download
– Central Issuance Facility
• RAPIDS like workstation
• Web enabled interface
• CAC mailed back to ordering site
• System Upgrade to PKI Release 4
2/3 of Smart Card Issuance is hidden from view
Questions
Lynne [email protected]